Security experts give e-voting thumbs down

A team of academic security researchers says Internet voting should be shelved until the Internet becomes more secure.

Robert Lemos Staff Writer, CNET News.com
Four computer security experts have warned proponents of Internet voting that such systems cannot be secured against fraud.

The experts--three computer science professors and a former IBM researcher--said Wednesday that creating an e-voting system that both guarantees each person votes once and protects the voter's identity is impossible on the current Internet system.

"Basing a voting system on the Internet poses unavoidable risks of voting fraud and privacy risks," said David Wagner, an associate professor of computer science at the University of California at Berkeley. "They are unavoidable and can't be fixed."

The report comes as the U.S. Department of Defense prepares to launch the Secure Electronic Registration and Voting Experiment (SERVE), a system that will let absentee military voters in 50 counties in seven states place their votes; the inauguration of the technology will occur with South Carolina's presidential primary on Feb. 3. Eventually, the program will be expanded to handle the votes of nearly 6 million U.S. military personnel and civilians abroad.

Early elections may dodge any online attacks because the number of potential voters will initially be small, according to the security experts. However, early successes could lead to widespread adoption of the system, which would eventually leave entire elections open to attack, the report said.

"If you vote from an insecure home computer over an insecure network, you have an insecure election," Wagner said.

The worries over Internet voting build upon ongoing concerns over the security and reporting features of e-voting machines. The issues have cast a cloud of uncertainty over the upcoming election season, forcing ballot machine vendors to address a host of complaints over their products amid signs of an escalating voter backlash.

The SERVE project is designed to gather data on whether Internet voting will significantly help bring overseas citizens to the virtual ballot box.

"This is a group of voters that is extremely disenfranchised today," said Meg McLaughlin, president of eDemocracy Services for technology consultancy Accenture. She added that as many as 50 percent of overseas voters don't vote because the current system is too complex. The Defense Department contracted Accenture to build the SERVE system.

Wagner and the other authors of the report were four of the 10 security researchers who analyzed the planned system at the request of the Federal Voting Assistance Program (FVAP), a branch of the Defense Department. The six other members believed the system could work, said Glenn Flood, a spokesman for FVAP.

"Security is something that we have been concerned about from the beginning," he said, adding that the department and its contractors took security advice into account. "We didn't just learn about these concerns today."

Moreover, Accenture's McLaughlin stressed that the SERVE system was designed to be an experiment to collect data on voter reactions to casting ballots online.

"There is nothing to say that we are going to expand this to 6 million voters," she said. "You would have to have 50 state legislatures pass enabling legislation."

Another researcher on the 10-member review committee said that the report's authors seem to be in the minority for not supporting at least the experimental stage of Internet voting.

"The SERVE system is the best one that I have seen to date," said Michael Alvarez, a professor of political science at the California Institute of Technology. "There is a lot of infrastructure in place to prevent attacks and compromises. Also, there are going to be many procedural controls in place to detect, prevent and deal with these kinds of concerns."

Alvarez, who has a contract from the Defense Department to evaluate the SERVE experiment, said it's too early to pass judgment on the program.

"It could be that the recommendation in that report will be, 'No, we don't think the system should proceed,'" he said. "We won't know until after the experiment is over."